mstool-agent 1.0.0

package/.env.example

@@ -0,0 +1,12 @@
+# Agent Node 环境变量
+
+# Platform WebSocket 地址
+PLATFORM_WS_URL=ws://localhost:3000/ws/agent
+
+# 首次注册时设置（注册成功后可删除）
+REGISTRATION_TOKEN=
+
+# 注册成功后自动保存到 .node-credentials.json
+# 也可以手动设置（重连已注册节点时使用）
+# NODE_ID=
+# NODE_SECRET=

package/bin/mstool-agent.js

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+require('tsx/cjs');
+require('../src/index.ts');

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "mstool-agent",
+  "version": "1.0.0",
+  "description": "MSTool Agent Node - AI Agent 运维节点",
+  "main": "src/index.ts",
+  "bin": {
+    "mstool-agent": "./bin/mstool-agent.js"
+  },
+  "scripts": {
+    "start": "node bin/mstool-agent.js"
+  },
+  "dependencies": {
+    "mstool-shared": "^1.0.0",
+    "ws": "^8.18.0",
+    "ssh2": "^1.15.0",
+    "oracledb": "^6.5.1",
+    "mysql2": "^3.10.1",
+    "pg": "^8.12.0",
+    "uuid": "^10.0.0",
+    "node-cron": "^3.0.3",
+    "dotenv": "^16.4.5",
+    "zod": "^3.23.8",
+    "tsx": "^4.19.0"
+  },
+  "keywords": ["mstool", "agent", "ops", "ai"],
+  "license": "MIT",
+  "repository": { "type": "git", "url": "https://github.com/scaleflower/mstools" }
+}

package/src/client.ts

@@ -0,0 +1,186 @@
+import WebSocket from 'ws';
+import { randomUUID } from 'crypto';
+import os from 'os';
+import fs from 'fs';
+import path from 'path';
+import {
+  WsMessage, WsMessageType, WsRegisterPayload, WsRegisterAckPayload,
+  WsToolRequest, WsToolResult, WsError,
+} from 'mstool-shared';
+import { toolRegistry } from './tools';
+
+interface AgentNodeClientOptions {
+  platformUrl: string;
+  registrationToken?: string;
+  nodeId?: string;
+  nodeSecret?: string;
+}
+
+const CREDENTIALS_FILE = path.join(process.cwd(), '.node-credentials.json');
+const VERSION = '1.0.0';
+
+export class AgentNodeClient {
+  private ws: WebSocket | null = null;
+  private reconnectTimer: NodeJS.Timeout | null = null;
+  private nodeId?: string;
+  private nodeSecret?: string;
+  private registrationToken?: string;
+  private platformUrl: string;
+
+  constructor(opts: AgentNodeClientOptions) {
+    this.platformUrl = opts.platformUrl;
+    this.registrationToken = opts.registrationToken;
+    this.nodeId = opts.nodeId;
+    this.nodeSecret = opts.nodeSecret;
+
+    if (!this.nodeId && fs.existsSync(CREDENTIALS_FILE)) {
+      const creds = JSON.parse(fs.readFileSync(CREDENTIALS_FILE, 'utf8'));
+      this.nodeId = creds.nodeId;
+      this.nodeSecret = creds.nodeSecret;
+    }
+  }
+
+  connect() {
+    console.log(`连接到 Platform: ${this.platformUrl}`);
+    this.ws = new WebSocket(this.platformUrl);
+
+    this.ws.on('open', () => {
+      console.log('WebSocket 连接已建立');
+      if (this.registrationToken && !this.nodeId) {
+        this.register();
+      } else if (this.nodeId && this.nodeSecret) {
+        this.authenticate();
+      } else {
+        console.error('缺少注册 Token 或节点凭据');
+        this.ws?.close();
+      }
+    });
+
+    this.ws.on('message', (raw) => {
+      try {
+        const msg: WsMessage = JSON.parse(raw.toString());
+        this.handleMessage(msg);
+      } catch (e) {
+        console.error('消息解析失败', e);
+      }
+    });
+
+    this.ws.on('close', (code, reason) => {
+      console.log(`连接断开 [${code}]: ${reason?.toString()}`);
+      this.scheduleReconnect();
+    });
+
+    this.ws.on('error', (err) => {
+      console.error('WebSocket 错误', err.message);
+    });
+  }
+
+  disconnect() {
+    if (this.reconnectTimer) clearTimeout(this.reconnectTimer);
+    this.ws?.close();
+  }
+
+  private register() {
+    const payload: WsRegisterPayload = {
+      token: this.registrationToken!,
+      version: VERSION,
+      hostname: os.hostname(),
+    };
+    const msg: WsMessage<WsRegisterPayload> = {
+      task_id: randomUUID(),
+      type: WsMessageType.REGISTER,
+      payload,
+    };
+    this.ws!.send(JSON.stringify(msg));
+  }
+
+  private authenticate() {
+    const msg: WsMessage = {
+      task_id: randomUUID(),
+      type: WsMessageType.PING,
+      payload: { nodeId: this.nodeId, nodeSecret: this.nodeSecret, version: VERSION },
+    };
+    this.ws!.send(JSON.stringify(msg));
+  }
+
+  private handleMessage(msg: WsMessage) {
+    switch (msg.type) {
+      case WsMessageType.REGISTER_ACK:
+        this.handleRegisterAck(msg as WsMessage<WsRegisterAckPayload>);
+        break;
+      case WsMessageType.REQUEST:
+        this.handleToolRequest(msg as WsMessage<WsToolRequest>);
+        break;
+      case WsMessageType.PING:
+        this.send({ task_id: msg.task_id, type: WsMessageType.PONG, payload: {} });
+        break;
+      default:
+        console.warn('未知消息类型', msg.type);
+    }
+  }
+
+  private handleRegisterAck(msg: WsMessage<WsRegisterAckPayload>) {
+    const { nodeId, nodeSecret } = msg.payload;
+    this.nodeId = nodeId;
+    this.nodeSecret = nodeSecret;
+    this.registrationToken = undefined;
+
+    fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify({ nodeId, nodeSecret }, null, 2));
+    console.log(`注册成功，Node ID: ${nodeId}`);
+    console.log('凭据已保存到', CREDENTIALS_FILE);
+  }
+
+  private async handleToolRequest(msg: WsMessage<WsToolRequest>) {
+    const { tool, args } = msg.payload;
+    console.log(`执行工具: ${tool}`, JSON.stringify(args).slice(0, 100));
+
+    const toolFn = toolRegistry[tool];
+    if (!toolFn) {
+      this.send({
+        task_id: msg.task_id,
+        type: WsMessageType.ERROR,
+        payload: { code: 'UNKNOWN_TOOL', message: `未知工具: ${tool}` } satisfies WsError,
+      });
+      return;
+    }
+
+    try {
+      const result = await toolFn(args, (chunk: string) => {
+        this.send({
+          task_id: msg.task_id,
+          type: WsMessageType.STREAM_CHUNK,
+          payload: { chunk },
+        });
+      });
+
+      this.send({
+        task_id: msg.task_id,
+        type: WsMessageType.RESULT,
+        payload: { output: result } satisfies WsToolResult,
+      });
+    } catch (e: unknown) {
+      const message = e instanceof Error ? e.message : String(e);
+      this.send({
+        task_id: msg.task_id,
+        type: WsMessageType.ERROR,
+        payload: { code: 'TOOL_ERROR', message } satisfies WsError,
+      });
+    }
+  }
+
+  private send(msg: WsMessage) {
+    if (this.ws?.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(msg));
+    }
+  }
+
+  private scheduleReconnect() {
+    if (this.reconnectTimer) return;
+    const delay = 5000;
+    console.log(`${delay / 1000}s 后重连...`);
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      this.connect();
+    }, delay);
+  }
+}

package/src/credential-store.ts

@@ -0,0 +1,40 @@
+import fs from 'fs';
+import path from 'path';
+
+const STORE_FILE = path.join(process.cwd(), '.db-credentials.json');
+
+interface DbCredential {
+  username: string;
+  password: string;
+  connectString: string;
+}
+
+class CredentialStore {
+  private store: Record<string, DbCredential> = {};
+
+  constructor() {
+    if (fs.existsSync(STORE_FILE)) {
+      try {
+        this.store = JSON.parse(fs.readFileSync(STORE_FILE, 'utf8'));
+      } catch {
+        this.store = {};
+      }
+    }
+  }
+
+  getDbCredential(connectionId: string): DbCredential | undefined {
+    return this.store[connectionId];
+  }
+
+  setDbCredential(connectionId: string, cred: DbCredential) {
+    this.store[connectionId] = cred;
+    fs.writeFileSync(STORE_FILE, JSON.stringify(this.store, null, 2), { mode: 0o600 });
+  }
+
+  removeDbCredential(connectionId: string) {
+    delete this.store[connectionId];
+    fs.writeFileSync(STORE_FILE, JSON.stringify(this.store, null, 2), { mode: 0o600 });
+  }
+}
+
+export const NodeCredentialStore = new CredentialStore();

package/src/index.ts

@@ -0,0 +1,24 @@
+import 'dotenv/config';
+import { AgentNodeClient } from './client';
+
+const PLATFORM_URL = process.env.PLATFORM_WS_URL || 'ws://localhost:3000/ws/agent';
+const REGISTRATION_TOKEN = process.env.REGISTRATION_TOKEN;
+const NODE_ID = process.env.NODE_ID;
+const NODE_SECRET = process.env.NODE_SECRET;
+
+if (!REGISTRATION_TOKEN && (!NODE_ID || !NODE_SECRET)) {
+  console.error('需要设置 REGISTRATION_TOKEN（首次注册）或 NODE_ID + NODE_SECRET（重连）');
+  process.exit(1);
+}
+
+const client = new AgentNodeClient({
+  platformUrl: PLATFORM_URL,
+  registrationToken: REGISTRATION_TOKEN,
+  nodeId: NODE_ID,
+  nodeSecret: NODE_SECRET,
+});
+
+client.connect();
+
+process.on('SIGINT', () => { client.disconnect(); process.exit(0); });
+process.on('SIGTERM', () => { client.disconnect(); process.exit(0); });

package/src/tools/awr.ts

@@ -0,0 +1,52 @@
+interface AwrGenerateOptions {
+  connectionId: string;
+  dbId?: string;
+  instanceNum?: number;
+  beginSnapId: number;
+  endSnapId: number;
+}
+
+export async function awrGenerate(opts: AwrGenerateOptions, onChunk?: (chunk: string) => void): Promise<string> {
+  let oracledb: any;
+  try {
+    oracledb = require('oracledb');
+  } catch {
+    throw new Error('oracledb 模块未安装，无法生成 AWR 报告');
+  }
+
+  const { NodeCredentialStore } = require('../credential-store');
+  const cred = NodeCredentialStore.getDbCredential(opts.connectionId);
+  if (!cred) throw new Error(`未找到连接 ${opts.connectionId} 的凭据`);
+
+  oracledb.fetchAsString = [oracledb.CLOB];
+
+  const connection = await oracledb.getConnection({
+    user: cred.username,
+    password: cred.password,
+    connectString: cred.connectString,
+  });
+
+  onChunk?.('正在生成 AWR 报告...\n');
+
+  try {
+    const dbIdParam = opts.dbId ? `l_db_id => '${opts.dbId}',` : '';
+    const instanceParam = opts.instanceNum != null ? `l_inst_num => ${opts.instanceNum},` : '';
+
+    const result = await connection.execute(
+      `SELECT DBMS_WORKLOAD_REPOSITORY.AWR_REPORT_HTML(
+        ${dbIdParam}
+        ${instanceParam}
+        l_snap_id_set => SYS.AWRRPT_SEQ_TYPE(${opts.beginSnapId}, ${opts.endSnapId}),
+        l_global => 0
+      ) FROM DUAL`,
+      [],
+      { fetchInfo: { 'DBMS_WORKLOAD_REPOSITORY.AWR_REPORT_HTML': { type: oracledb.STRING } } },
+    );
+
+    const html = (result.rows as any[])[0][0];
+    onChunk?.('AWR 报告生成完成\n');
+    return html;
+  } finally {
+    await connection.close();
+  }
+}

package/src/tools/collection.ts

@@ -0,0 +1,67 @@
+import { sshExec } from './ssh';
+
+interface SshConnectionBase {
+  host: string;
+  port: number;
+  username: string;
+  authType: 'key' | 'password';
+  password?: string;
+  jumpHosts: Array<{ host: string; port: number; username: string; authType: 'key' | 'password' }>;
+}
+
+interface CollectMetricsOptions extends SshConnectionBase {}
+
+interface CollectProcessesOptions extends SshConnectionBase {
+  sortBy: 'cpu' | 'memory';
+  limit: number;
+}
+
+const METRICS_SCRIPT = `
+python3 -c "
+import json, os, time
+with open('/proc/meminfo') as f:
+    meminfo = {k.strip(): int(v.split()[0]) for line in f for k, _, v in [line.partition(':')]}
+with open('/proc/stat') as f:
+    cpu_line = f.readline().split()
+idle1 = int(cpu_line[4])
+total1 = sum(int(x) for x in cpu_line[1:])
+time.sleep(0.5)
+with open('/proc/stat') as f:
+    cpu_line = f.readline().split()
+idle2 = int(cpu_line[4])
+total2 = sum(int(x) for x in cpu_line[1:])
+cpu_pct = round((1 - (idle2-idle1)/(total2-total1))*100, 2)
+mem_total = meminfo.get('MemTotal', 0) * 1024
+mem_free = (meminfo.get('MemFree', 0) + meminfo.get('Buffers', 0) + meminfo.get('Cached', 0)) * 1024
+mem_used = mem_total - mem_free
+disk = os.statvfs('/')
+disk_total = disk.f_blocks * disk.f_frsize
+disk_used = (disk.f_blocks - disk.f_bfree) * disk.f_frsize
+print(json.dumps({'cpu_percent': cpu_pct, 'memory_used_bytes': mem_used, 'memory_total_bytes': mem_total, 'memory_percent': round(mem_used/mem_total*100, 2) if mem_total else 0, 'disk_used_bytes': disk_used, 'disk_total_bytes': disk_total, 'network_rx_bytes_per_sec': 0, 'network_tx_bytes_per_sec': 0}))
+" 2>/dev/null || echo '{"error":"python3 not available"}'
+`.trim();
+
+export async function collectMetrics(opts: CollectMetricsOptions) {
+  const output = await sshExec({ ...opts, jumpHosts: opts.jumpHosts, command: METRICS_SCRIPT });
+  try {
+    return JSON.parse(output.trim());
+  } catch {
+    return { raw: output };
+  }
+}
+
+export async function collectProcesses(opts: CollectProcessesOptions) {
+  const sortField = opts.sortBy === 'cpu' ? '%cpu' : '%mem';
+  const cmd = `ps aux --sort=-${sortField} | head -n ${opts.limit + 1} | awk 'NR>1 {print $2,$3,$4,$11}' | head -n ${opts.limit}`;
+  const output = await sshExec({ ...opts, jumpHosts: opts.jumpHosts, command: cmd });
+  const processes = output.trim().split('\n').filter(Boolean).map((line) => {
+    const [pid, cpu, memory, ...nameParts] = line.split(' ');
+    return {
+      pid: parseInt(pid, 10),
+      cpuPercent: parseFloat(cpu),
+      memoryPercent: parseFloat(memory),
+      name: nameParts.join(' '),
+    };
+  });
+  return { processes, collectedAt: new Date().toISOString() };
+}

package/src/tools/database.ts

@@ -0,0 +1,114 @@
+interface DbQueryOptions {
+  connectionId: string;
+  dbType: 'oracle' | 'mysql' | 'postgresql';
+  host: string;
+  port: number;
+  serviceName: string;
+  username: string;
+  password: string;
+  sql: string;
+  maxRows: number;
+}
+
+export async function dbQuery(opts: DbQueryOptions): Promise<unknown> {
+  switch (opts.dbType) {
+    case 'oracle':
+      return queryOracle(opts);
+    case 'mysql':
+      return queryMysql(opts);
+    case 'postgresql':
+      return queryPostgres(opts);
+    default:
+      throw new Error(`不支持的数据库类型: ${opts.dbType}`);
+  }
+}
+
+async function queryOracle(opts: DbQueryOptions) {
+  let oracledb: any;
+  try {
+    oracledb = require('oracledb');
+  } catch {
+    throw new Error('oracledb 模块未安装');
+  }
+
+  oracledb.outFormat = oracledb.OUT_FORMAT_OBJECT;
+  oracledb.fetchAsString = [oracledb.CLOB];
+
+  const connection = await oracledb.getConnection({
+    user: opts.username,
+    password: opts.password,
+    connectString: `${opts.host}:${opts.port}/${opts.serviceName}`,
+  });
+
+  try {
+    const limitedSql = wrapWithRowLimit(opts.sql, opts.maxRows, 'oracle');
+    const result = await connection.execute(limitedSql, [], { maxRows: opts.maxRows });
+    return {
+      columns: result.metaData?.map((c: any) => c.name) ?? [],
+      rows: result.rows ?? [],
+      rowCount: result.rows?.length ?? 0,
+    };
+  } finally {
+    await connection.close();
+  }
+}
+
+async function queryMysql(opts: DbQueryOptions) {
+  const mysql2 = require('mysql2/promise');
+  const connection = await mysql2.createConnection({
+    host: opts.host,
+    port: opts.port,
+    user: opts.username,
+    password: opts.password,
+    database: opts.serviceName,
+  });
+
+  try {
+    const limitedSql = wrapWithRowLimit(opts.sql, opts.maxRows, 'mysql');
+    const [rows, fields] = await connection.execute(limitedSql);
+    return {
+      columns: (fields as any[]).map((f) => f.name),
+      rows,
+      rowCount: (rows as unknown[]).length,
+    };
+  } finally {
+    await connection.end();
+  }
+}
+
+async function queryPostgres(opts: DbQueryOptions) {
+  const { Pool } = require('pg');
+  const pool = new Pool({
+    host: opts.host,
+    port: opts.port,
+    user: opts.username,
+    password: opts.password,
+    database: opts.serviceName,
+  });
+
+  try {
+    const limitedSql = wrapWithRowLimit(opts.sql, opts.maxRows, 'postgresql');
+    const result = await pool.query(limitedSql);
+    return {
+      columns: result.fields.map((f: any) => f.name),
+      rows: result.rows,
+      rowCount: result.rowCount,
+    };
+  } finally {
+    await pool.end();
+  }
+}
+
+function wrapWithRowLimit(sql: string, maxRows: number, dbType: string): string {
+  const trimmed = sql.trim().replace(/;\s*$/, '');
+  switch (dbType) {
+    case 'oracle':
+      return `SELECT * FROM (${trimmed}) WHERE ROWNUM <= ${maxRows}`;
+    case 'mysql':
+      return `${trimmed} LIMIT ${maxRows}`;
+    case 'postgresql':
+      return `${trimmed} LIMIT ${maxRows}`;
+    default:
+      return trimmed;
+  }
+}

package/src/tools/index.ts

@@ -0,0 +1,68 @@
+import { sshExec } from './ssh';
+import { dbQuery } from './database';
+import { collectMetrics, collectProcesses } from './collection';
+import { awrGenerate } from './awr';
+
+type ToolFn = (args: Record<string, unknown>, onChunk?: (chunk: string) => void) => Promise<unknown>;
+
+export const toolRegistry: Record<string, ToolFn> = {
+  ssh_exec: async (args, onChunk) => {
+    return sshExec({
+      host: args.host as string,
+      port: (args.port as number) || 22,
+      username: args.username as string,
+      authType: args.authType as 'key' | 'password',
+      password: args.password as string | undefined,
+      jumpHosts: (args.jumpHosts as any[]) || [],
+      command: args.command as string,
+    }, onChunk);
+  },
+
+  collect_metrics: async (args) => {
+    return collectMetrics({
+      host: args.host as string,
+      port: (args.port as number) || 22,
+      username: args.username as string,
+      authType: args.authType as 'key' | 'password',
+      password: args.password as string | undefined,
+      jumpHosts: (args.jumpHosts as any[]) || [],
+    });
+  },
+
+  collect_processes: async (args) => {
+    return collectProcesses({
+      host: args.host as string,
+      port: (args.port as number) || 22,
+      username: args.username as string,
+      authType: args.authType as 'key' | 'password',
+      password: args.password as string | undefined,
+      jumpHosts: (args.jumpHosts as any[]) || [],
+      sortBy: (args.sortBy as 'cpu' | 'memory') || 'cpu',
+      limit: (args.limit as number) || 20,
+    });
+  },
+
+  db_query: async (args) => {
+    return dbQuery({
+      connectionId: args.connectionId as string,
+      dbType: args.dbType as 'oracle' | 'mysql' | 'postgresql',
+      host: args.host as string,
+      port: args.port as number,
+      serviceName: args.serviceName as string,
+      username: args.username as string,
+      password: args.password as string,
+      sql: args.sql as string,
+      maxRows: (args.maxRows as number) || 100,
+    });
+  },
+
+  awr_generate: async (args, onChunk) => {
+    return awrGenerate({
+      connectionId: args.connectionId as string,
+      dbId: args.dbId as string | undefined,
+      instanceNum: args.instanceNum as number | undefined,
+      beginSnapId: args.beginSnapId as number,
+      endSnapId: args.endSnapId as number,
+    }, onChunk);
+  },
+};

package/src/tools/ssh.ts

@@ -0,0 +1,122 @@
+import { Client, ConnectConfig } from 'ssh2';
+
+interface SshConfig {
+  host: string;
+  port: number;
+  username: string;
+  authType: 'key' | 'password';
+  password?: string;
+  privateKeyPath?: string;
+  jumpHosts: Array<{ host: string; port: number; username: string; authType: 'key' | 'password' }>;
+  command: string;
+}
+
+function getConnectConfig(cfg: Omit<SshConfig, 'command' | 'jumpHosts'>): ConnectConfig {
+  const base: ConnectConfig = {
+    host: cfg.host,
+    port: cfg.port,
+    username: cfg.username,
+    readyTimeout: 15000,
+  };
+
+  if (cfg.authType === 'password' && cfg.password) {
+    base.password = cfg.password;
+  } else {
+    const keyPath = cfg.privateKeyPath || `${process.env.HOME}/.ssh/id_rsa`;
+    try {
+      const fs = require('fs');
+      base.privateKey = fs.readFileSync(keyPath);
+    } catch {
+      throw new Error(`无法读取 SSH 私钥: ${keyPath}`);
+    }
+  }
+
+  return base;
+}
+
+export function sshExec(cfg: SshConfig, onChunk?: (chunk: string) => void): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const output: string[] = [];
+
+    if (cfg.jumpHosts.length === 0) {
+      executeDirectly(cfg, output, onChunk, resolve, reject);
+    } else {
+      executeViaJump(cfg, output, onChunk, resolve, reject);
+    }
+  });
+}
+
+function executeDirectly(
+  cfg: SshConfig,
+  output: string[],
+  onChunk: ((c: string) => void) | undefined,
+  resolve: (v: string) => void,
+  reject: (e: Error) => void,
+) {
+  const conn = new Client();
+  conn.on('ready', () => {
+    conn.exec(cfg.command, (err, stream) => {
+      if (err) { conn.end(); return reject(err); }
+      stream.on('data', (data: Buffer) => {
+        const chunk = data.toString();
+        output.push(chunk);
+        onChunk?.(chunk);
+      });
+      stream.stderr.on('data', (data: Buffer) => {
+        const chunk = `[stderr] ${data.toString()}`;
+        output.push(chunk);
+        onChunk?.(chunk);
+      });
+      stream.on('close', () => { conn.end(); resolve(output.join('')); });
+    });
+  });
+  conn.on('error', reject);
+  conn.connect(getConnectConfig(cfg));
+}
+
+function executeViaJump(
+  cfg: SshConfig,
+  output: string[],
+  onChunk: ((c: string) => void) | undefined,
+  resolve: (v: string) => void,
+  reject: (e: Error) => void,
+) {
+  const jump = cfg.jumpHosts[0];
+  const jumpConn = new Client();
+
+  jumpConn.on('ready', () => {
+    jumpConn.forwardOut('127.0.0.1', 0, cfg.host, cfg.port, (err, stream) => {
+      if (err) { jumpConn.end(); return reject(err); }
+
+      const targetConn = new Client();
+      const targetCfg = { ...cfg, jumpHosts: cfg.jumpHosts.slice(1) };
+
+      targetConn.on('ready', () => {
+        if (targetCfg.jumpHosts.length === 0) {
+          targetConn.exec(cfg.command, (execErr, execStream) => {
+            if (execErr) { targetConn.end(); jumpConn.end(); return reject(execErr); }
+            execStream.on('data', (data: Buffer) => {
+              const chunk = data.toString();
+              output.push(chunk);
+              onChunk?.(chunk);
+            });
+            execStream.stderr.on('data', (data: Buffer) => {
+              const chunk = `[stderr] ${data.toString()}`;
+              output.push(chunk);
+              onChunk?.(chunk);
+            });
+            execStream.on('close', () => {
+              targetConn.end();
+              jumpConn.end();
+              resolve(output.join(''));
+            });
+          });
+        }
+      });
+      targetConn.on('error', (e) => { jumpConn.end(); reject(e); });
+      targetConn.connect({ ...getConnectConfig(cfg), sock: stream });
+    });
+  });
+  jumpConn.on('error', reject);
+  jumpConn.connect(getConnectConfig({ ...jump, privateKeyPath: undefined }));
+}